This week, Group-IB, an international company specializing in the prevention of cyberattacks and the development of information security products, helped police to detain hackers who had broken into the accounts of 700,000 customers of popular Internet stores, just a week after a Moscow court handed out jail sentences to twin brothers who had led a hacker group, after Group-IB investigators gave expert witness testimony to the court.

In the most recent case, Group-IB helped Russia’s Interior Ministry to detain two cybercriminals who were breaking into and stealing the accounts of loyalty program members from popular online stores, payment systems and bookmakers. The targets of the attack included PayPal, Ulmart, Biglion, KupiKupon and Groupon. In total, about 700,000 accounts were compromised, 2,000 of which the hackers put up for sale for $5 each, Group-IB said in a statement on Wednesday.

“The detainees admitted on the spot that they had earned at least 500,000 rubles ($8,000). However, the real amount of damage remains to be determined,” the statement said.

In the course of the investigation, Group-IB specialists established the identities of the intruders.

The investigation began in November 2015, after a large-scale cyberattack was made on the website of a large online store to gain access to the personal accounts of the store’s loyalty program members, who received bonuses for purchases. In a month, about 120,000 accounts were compromised, Group-IB said.

It was discovered that the attackers had collected compromised account information from various Internet services on hacker forums and used special programs to automatically guess passwords of accounts on the website of the online store.

“The cybercriminals took advantage of the fact that many users of the website use the same login/password pair on several resources,” Group-IB said.

“If the logins and passwords came up on the website of the store under attack, they hacked those personal accounts. The hackers checked the amount of the accumulated bonuses and sold the compromised accounts on hacker forums at a price of $5 per account or 20-30% of the nominal balance of the accounts. The buyers then used them to pay for products with the bonuses.”

To cover their tracks and hamper the companies’ security services, the hackers launched their attacks from different IP-addresses, using anonymizers and changing the digital fingerprint of the browser, Group-IB reported.

In the course of the investigation, Group-IB specialists established the identities of the intruders. The leader of the group was a resident of the Ryazan region, born in 1998, while his partner, who provided technical support for their joint online store, resided in the Astrakhan region and was born in 1997. In May 2018, both were detained by Russian police specialising in cybercrime. During a search, evidence of their unlawful activities was seized, along with narcotics. The detainees were charged with illegally accessing computer information and the illegal acquisition, storage or transportation of drugs. The suspects have confessed, and the investigation continues, according to Group-IB.

Twin hackers

Last week, the Savelovsky District Court of Moscow convicted members of the hacker group headed by twin brothers from St. Petersburg, Dmitry and Evgeny Popelysh. From March 2013 to May 2015, the Popelysh brothers’ group gained access to more than 7,000 customer accounts at leading Russian banks and stole more than 12.5 million rubles ($200,000). Group-IB’s forensic specialists were involved in the investigation and gave evidence as experts in court, helping to bring the Popelysh case to a successful court case.

The 23-year-old Popelysh twins made their first attacks on bank customers in 2010, in collaboration with Alexander Sarbin, a 19-year-old hacker from Kaliningrad, Group-IB said in a statement. The criminals infected users’ computers with the Trojan.Win32.VKhost virus, which, when opening the official online banking services of a major Russian bank, redirected the customer to a phishing page. On this page, under the pretext of a change in the security policy, the user was asked to enter a login, password and confirmation code from the bank’s scratch card. Using this data, the criminals withdrew money via an authentic remote banking site.

“In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers,” said Group-IB. “By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.”

The hackers were arrested in spring 2011 and in September 2012, the Chertanovsky District Court of Moscow sentenced them to 6 years’ imprisonment with 5 years’ probation. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware, automated the theft process, and continually updated the viruses themselves in order to avoid being detected by anti-virus systems, Group-IB said.

“The Popelysh twins headed a group which included ‘programmers,’ ‘traffers’ – people who spread the malware, ‘crypters’ – specialists who regularly updated the malware codes, ‘money mules’ – people who cashed the stolen money – and ‘callers,’” said Group-IB.

“The latter posed as bank employees and rang up customers who had left their card and telephone numbers on the fake website to persuade them to disclose the transfer confirmation code. This type of fraud is called vishing(voice phishing) – a type of phishing where voice communication is used to obtain confidential data.”

When officers cut through the metal door to the apartment where the Popelysh brothers were living, the pair attempted, in panic, to flush half a million rubles, flash drives, and SIM cards down the toilet.

From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7,000 customer accounts at various Russian banks and stole more than 12.5 million rubles. Each month, the brothers earned an average of 500,000 to 1.5 million rubles. They spent the money on purchasing property and foreign cars, such as a Porsche Cayenne and a BMW X5, according to Group-IB.

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. Group-IB’s cyber forensic specialists and representatives from the group’s investigation department were called in as experts during the search. When officers cut through the metal door to the apartment where the Popelysh brothers were living, the pair attempted, in panic, to flush half a million rubles, flash drives, and SIM cards down the toilet. In case of a police raid, the brothers had even made an electromagnetic device to erase computer drives.

The Popelysh twins and their accomplices were charged with the creation and use of malicious computer programs, illegally accessing computer information and fraud and on June 18, Moscow’s Savelovsky District Court found all defendants guilty: Evgeny and Dmitry Popelysh were sentenced to 8 years’ imprisonment, Sarbin was given 6 years, and other gang members got four to five years, plus one suspended sentence.

“Due to the significant number of victims and the extensive amount of evidence gathered, the investigation and criminal proceedings in the Popelysh case lasted for almost three years,” says the head of Group-IB’s Investigation Department, Sergey Lupanin.

“It was only a few days ago, in 2018, that a trial took place, enabling the case to be brought to a logical end and a sentence to be passed. The first time around, the Popelysh twins received too mild a sentence – they were released on probation and resumed their old criminal ways. This time, the members of the group were given real sentences, 10 years’ imprisonment. The Popelysh case is a clear example that shows that cybercrime needs to be punished as severely as possible.”

"The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.”

Fake banking apps

Last month, a 32-year-old hacker was arrested on suspicion of stealing funds from Russian banks' customers using Android Trojans, in another case in which Group-IB provided the police with expert assistance. At the height of the hacker’s activity, victims reportedly lost between 1,500 to 8,000 dollars daily.

Group-IB analysed the tools and techniques leveraged in the group’s attack, revealing that the gang tricked customers of Russian banks into downloading a malicious mobile application that claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

“The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details,” said Group-IB.

“The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim's phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.”

The investigation by authorities identified a member of the criminal group who was responsible for transferring money from user accounts to attacker’s cards: a 32-year-old unemployed Russian national who had previous convictions connected to arms trafficking. The suspect has confessed and the investigation is ongoing.